Cointelegraph Bitcoin & Ethereum Blockchain News

What is a crypto drainer?

A crypto drainer is a malicious script designed to steal cryptocurrency from your wallet. Unlike regular phishing attacks that try to capture login credentials, a crypto drainer tricks you into connecting your wallets, such as MetaMask or Phantom, and unknowingly authorizing transactions that grant them access to your funds.

Disguised as a legitimate Web3 project, a crypto drainer is usually promoted via compromised social media accounts or Discord groups. Once you fall prey to the fraud, the drainer can instantly transfer assets from the wallet.

Crypto drainers may take various forms:

Crypto drainers are a growing threat in Web3, enabling quick, automated theft of crypto assets from unsuspecting users through deception. Common methods of crypto drainers include:

Phishing websites.
Fake airdrops.
Deceptive ads.
Malicious smart contracts.
Harmful browser extensions.
Fake NFT marketplaces.

Crypto drainers-as-a-service (DaaS), explained

DaaS elevates the threat of crypto drainers by commercializing them. Just like software-as-a-service (SaaS) platforms, DaaS platforms sell ready-to-use malware kits to cybercriminals, often in exchange for a percentage of the stolen funds.

In the DaaS model, developers offer turnkey draining scripts, customizable phishing kits and even integration help in exchange for a share of the stolen funds. A DaaS offer might be bundled with social engineering support, anonymization services and regular updates, making them attractive even to low-skill scammers.

Types of crypto DaaS tools include:

JavaScript-based drainers: Malicious JavaScript is embedded into phishing websites that mimic legitimate decentralized apps (DApps). These scripts execute when you connect your wallet, silently triggering approval transactions that drain assets.
Token approval malware: Tricks users into granting unlimited token access via malicious smart contracts.
Clipboard hijackers: Hackers use clipboard hijackers to monitor and replace copied wallet addresses with those controlled by attackers.
Info-stealers: They harvest browser data, wallet extensions and private keys. Some DaaS packages combine these with loader malware that drops additional payloads or updates the malicious code.
Modular drainer kits: Segregated into modules, these drainers use obfuscation techniques to bypass browser-based security tools.

Did you know? According to Scam Sniffer, phishing campaigns using wallet drainers siphoned off over $295 million in NFTs and tokens from unsuspecting users in 2023.

What crypto DaaS kits include

Crypto DaaS kits are pre-built toolsets sold to scammers, enabling them to steal digital assets with minimal technical skill. These kits typically include phishing page templates, malicious smart contracts, wallet-draining scripts and more.

This is what crypto DaaS kits generally include:

Pre-built drainer software: Plug-and-play malware requiring minimal setup.
Phishing kits: DaaS providers supply customizable phishing website templates that hackers can modify according to their plans.
Social engineering: With DaaS, hackers find support for social engineering along with psychological tactics to trick users into connecting their wallets.
Operational security (OPSEC) tools: To avoid detection, some DaaS vendors offer advanced operational security tools that mask user identity and hide digital footprints.
Integration assistance and/obfuscation: These services help attackers deploy drainer scripts seamlessly and use obfuscation tools to evade tracking.
Regular updates: Frequent improvements are designed to bypass wallet defenses and detection systems.
User-friendly dashboards: Control panels that help attackers oversee operations and monitor drained funds.
Documentation and tutorials: Step-by-step instructions enabling even beginners to execute scams efficiently.
Customer support: Some DaaS operators provide real-time help through secure messaging apps like Telegram.

With DaaS kits available for as little as $100 to $500, or through subscription models, sophisticated crypto attacks are no longer limited to experienced hackers. Even the inexperienced can now access these scripts with a small budget, effectively democratizing this type of crime.

Did you know? Advanced DaaS tools often update scripts to evade detection from browser extensions like WalletGuard and security alerts issued by MetaMask or Trust Wallet.

Evolution of crypto drainers as prominent fraudulent activity

The threat landscape of cryptocurrency fraud is constantly evolving. Emerging around 2021, crypto drainers have rapidly transformed the landscape. Their ability to stealthily siphon funds from users’ wallets has made them a threat that demands vigilance.

Drainers specifically designed to target MetaMask began to emerge around 2021 and were openly advertised on illicit online forums and marketplaces.

A 2021 thread on Metamask drainer services

Here are some prominent drainers that have been around for some time:

Chick Drainer: It emerged in late 2023, targeting Solana (SOL) users through phishing campaigns. It operates using the CLINKSINK script, embedded in fake airdrop websites.
Rainbow Drainer: The platform shares code similarities with Chick Drainer, suggesting potential reuse or collaboration among threat actors.
Angel Drainer: Launched around August 2023, Angel Drainer is widely promoted on Telegram by threat groups like GhostSec. Affiliate scammers need to make an upfront payment between $5,000 and $10,000 and also pay a 20% commission on all stolen assets facilitated through its platform.
Rugging’s Drainer: Compatible with several crypto platforms, this DaaS drainer offers comparatively low commission fees, typically ranging from 5% to 10% of the stolen proceeds.

In the wake of the US Securities and Exchange Commission’s X account being compromised in January 2024, Chainalysis found a crypto drainer acting as the SEC. This led users to connect their wallets in an attempt to claim nonexistent airdropped tokens.

Chainalysis's crypto drainer alert

According to a Kaspersky Security Bulletin, dark web threads discussing crypto drainers rose sharply in 2024, jumping by 135% to 129 threads from 55 in 2022. These conversations encompass a wide range of topics, including buying and selling malicious software and forming distribution teams.

As the following chart demonstrates, crypto drainers have been stealing crypto at a faster quarterly growth rate than even ransomware.

How the quarterly growth rate in value stolen by crypto drainers compares with value extorted in ransomware attacks, Q1 2023 - Q1 2024

Red flags to identify a crypto DaaS attack

Spotting a crypto wallet drainer attack early is crucial to minimizing potential losses and securing your assets. You must be careful, as a sophisticated drainer attack can sometimes evade standard alert mechanisms. You must remain vigilant even while relying on automated tools.

Here are a few indicators that your wallet may be under threat:

Unusual transactions: A red flag of a drainer attack is finding transactions you didn’t authorize. These may include unexpected token transfers or withdrawals to unknown wallet addresses. Sometimes, attackers execute multiple small transfers to avoid detection, so you must monitor for repeated unusual transactions of low-value crypto.
Lost access to wallet: If you cannot access your wallet or your funds are missing, it could mean an attacker has taken control. This often happens when the drainer changes private keys or recovery phrases, effectively locking you out.
Security alerts from wallet providers: Your crypto wallet may issue security alerts for suspicious actions, like logins from new devices, failed access attempts or unauthorized transactions. These warnings indicate that someone may be trying to access your wallet or has already accessed it.
Fake project websites or DApps: If you find a cloned or newly launched platform mimicking a real Web3 service and prompting wallet connections, it is a warning sign of a crypto drainer. It might also have urgent calls to action, urging users to immediately claim rewards, airdrops, or mint NFTs. The objective is to pressure victims into connecting wallets without verifying authenticity.
Unverified social media promotions: Suspicious links shared via X, Discord, Telegram or Reddit, often unverified profiles, indicate a fraudulent attempt to drain money from a wallet. Fraudsters may also use compromised accounts to share malicious links.
Unaudited smart contracts: Interacting with unfamiliar contracts without public audits or GitHub transparency can expose wallets to hidden drainer scripts.
Wallet prompts requesting broad permissions: Sign-in or approval requests that ask for full token spending access or access to all assets, rather than specific transactions, are serious warning signs.

Did you know? Just one popular drainer kit can be used by hundreds of affiliates. That means a single DaaS platform can be behind thousands of wallet thefts in a matter of days.

How to protect your crypto wallet from DaaS attackers

To protect your crypto wallet from DaaS attackers, adopting strong, proactive security practices is essential. Blockchain monitoring tools can help identify suspicious patterns linked to drainer activity, allowing you to respond quickly.

Here are key strategies to help protect your digital assets:

Use hardware wallets: Hardware wallets, or cold wallets, store private keys offline, shielding them from online threats like malware and phishing. Keeping your keys in a physical device significantly lowers the risk of remote attacks and is ideal for securing long-term crypto holdings.
Enable 2FA (two-factor authentication): Adding 2FA to your wallet means even if someone steals your password, they will need a second verification step. They need to put in a verification code sent to your phone to access the account, along with your password, making unauthorized access much harder.
Avoid phishing links: Always verify URLs and avoid clicking on unsolicited messages claiming rewards or updates. Never input private keys or seed phrases on suspicious sites. When in doubt, manually enter the correct website address.
Secure your private keys and seed phrases: Store your private keys and seed phrases offline in a safe, physical location. Never save these credentials on internet-connected devices, or hackers might get access to them, putting your wallet at risk.
Verify apps and browser extensions: Take care to install software only from official sources. Research apps beforehand to avoid malicious or fake tools.
Monitor wallet activity regularly: Check your wallet for unauthorized transactions or unusual patterns. Early detection can help stop further losses and improve recovery chances.

What to do if you suffer from a crypto-drainer attack

Swift action is essential if you suspect your crypto wallet has been compromised. Though fund recovery is rare, quick action can limit further losses.

Here are the steps you need to take if you suffer from a crypto DaaS attack:

Secure your accounts: Immediately change the password for your wallet and enable 2FA, if you still have access to it. Transfer any remaining funds to a secure, uncompromised wallet.
Notify your wallet provider or exchange: Report the incident to your wallet provider or exchange. You could request them to monitor your account or freeze suspicious activity. Platforms may flag suspicious addresses or prevent further transfers.
File a report with authorities: Contact local law enforcement or cybercrime units, as cryptocurrency theft is treated as a financial crime in most regions.
Seek professional assistance: Cybersecurity firms specializing in blockchain forensics can analyze transactions and potentially trace the stolen funds. While full recovery is unlikely, especially if assets pass through mixers or bridges, expert help may aid investigations.